Title: The DBMS must support organizational requirements to employ automated patch management tools to facilitate flaw remediation to organization defined information system components.
Vulnerability ID: V-32575
IA Controls: None
Description: The organization (including any contractor to the organization) shall promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling, shall also be addressed expeditiously. Due to information system integrity and availability concerns, organizations shall give careful consideration to the methodology used to carry out automatic updates.
Automated patch management can be useful in ensuring that appropriate patches are scheduled and applied to databases as required. DBAs often support multiple databases in different environments and with different classification levels. This can lead to confusion if patch management is not automated, leading to inconsistent patching.
Check Text: Review DBMS vendor documentation to determine whether the DBMS supports automated patch management. If the DBMS does not provide this functionality determine whether a third party product is being used for automated patch management. If the DBMS does not support automated patch management, and a third party product is not utilized to provide this functionality, this is a finding.
Fix Text: Utilize a DBMS product that supports automated patch management or implement a third party product to provide this functionality.